The European Union's General Data Protection Regulation (GDPR) takes effect on May 25, 2018. GDPR is the European Union's (EU) comprehensive privacy law that aims to protect the personal data—and rights related to that data—of persons residing within the EU.
GDPR defines personal data as “any information relating to an identified or identifiable natural person.” A person's name and email address are both examples of personal data. Any organization that processes the personal data of EU residents will be required to comply with the GDPR, whether or not it has any physical or legal presence in the EU. Thus, the GDPR applies globally to any organization that collects personal data or monitors the behavioral activity of persons located within the European Union.
Why is the GDPR important?
The GDPR is an unparalleled privacy regulation in terms of its depth, breadth, and impact. Many organizations are required to comply with the regulation, and it is full of new requirements for controllers and processors. Fines for noncompliance with the GDPR may be imposed up to the greater of €20 million or 4% of global revenue.
Is there any grace period granted to become GDPR compliant?
Even though the GDPR was adopted in April 2016, it officially takes effect on May 25, 2018. All organizations with a physical or legal presence in the EU must be fully compliant by then. Authorities have stated that no transition or “grace period” will be granted, and penalties will be imposed on organizations that fail to comply.
Does the General Data Protection Regulation apply to me?
The current European Union legislation (the 1995 EU Data Protection Directive) governs entities within the EU. The GDPR's territorial scope is far wider in that it will also apply to non-EU businesses that:
- Market their products to people in the EU.
- Monitor the behavior of people in the EU.
In other words, even if you are based outside the EU but you control or process the data of EU citizens, the GDPR will apply to you.
How Does the GDPR Affect SalesboxAI and Its Customers?
For the purposes of the GDPR, SalesboxAI is a “data processor” in most cases (i.e., an organization that processes personal data on behalf of a data controller, typically in the context of providing services to the data controller) and our customers are typically “data controllers” (i.e., individuals or organizations that determine the purposes and means of the processing of personal data). Under the GDPR, individuals whose personal data are being processed are referred to as “data subjects.”
Processors and controllers each have their respective obligations under the law. Therefore, even though SalesboxAI may be in compliance with the GDPR, it does not mean that our customers are automatically in compliance with the GDPR.
Responsibilities of Data Controllers
Data controllers are individuals or organizations that determine the purposes and means of processing personal data. Data controllers bear the primary responsibility for complying with the rights of data subjects and responding to data subjects’ requests under the GDPR. For example, when a data subject makes a lawful request to access, correct, update, delete, or restrict the processing of his or her personal data, the GDPR obliges the data controller to respond and, presuming the request is reasonable and does not infringe the rights of others, to fulfill that request.
Data controllers are also required to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data, and to provide information about the personal data being processed, the purposes of that processing, and the third parties to which that information will be transferred, among other things. Finally, the GDPR imposes duties of transparency and “data protection by design and by default,” which require the open, intelligible sharing of relevant privacy information and consideration of the privacy of personal data when undertaking new initiatives or developing new products or services. These are just a few of the many controller-related provisions of the GDPR.
Responsibilities of Data Processors
A data processor only processes data according to the documented instructions of a data controller. While a processor does have certain obligations to support and assist the data controller in upholding its own obligations, such as informing the controller of requests it receives from data subjects, its relationship to the personal data and to the data subjects themselves is comparatively restricted.
The GDPR can be summarized in 8 important points. For each point, we explain how SalesboxAI handles its compliance.
• Right to be informed: SalesboxAI clearly informs our users about the use that will be made of their data.
• Right of access: users can access all of their data without restriction.
• Right of rectification: users can have their data rectified simply by contacting us.
• Right of erasure: users can have their personal information deleted upon request.
• Right to restrict processing: SalesboxAI users have the right to restrict processing.
• Right to data portability: our users may contact us at any time if they wish to have their data transmitted.
• Right to object: users have the right to object to processing and direct marketing, including the right to withdraw previously given consent.
• Right not to be subject to automated decision-making, including profiling: users have the right to object to automated decision-making.